API Gateway /restapis permissions
delenamalan opened this issue · comments
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Bug Report
Error Description
I got permissions errors like these:
User: arn:aws:iam::123:user/deploy-user is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 because no identity-based policy allows the apigateway:DELETE action
Unfortunately, I didn't take note of all of them exactly.
Command Run
sls deploy
Console Output
User: arn:aws:iam::123:user/deploy-user is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 because no identity-based policy allows the apigateway:DELETE action
Domain Manager Configuration
Replace this with your own serverless.yml file (anonymized, of course) to help us better resolve your issue.
custom:
  customDomain:
    domainName: ${env:DOMAIN}
    route53Profile: ${env:AWS_ROUTE53_PROFILE}
    route53Region: ${env:AWS_ROUTE53_REGION}
    certificateArn: ${env:CERTIFICATE_ARN}
    apiType: rest
    endpointType: edge
    basePath: ''
Versions
- Domain Manager version(s): 6.2.2
- Node/npm version: Node v18.11.0/npm 8.19.2
- Serverless Version: 3.27.0
- Lambda Code: JavaScript
Possible Solution
Cloudformation permissions like these:
- Effect: Allow
  Action:
    - apigateway:POST
    - apigateway:GET
    - apigateway:PUT
  Resource:
    - !Sub arn:aws:apigateway:${Region}::/restapis
    - !Sub arn:aws:apigateway:${Region}::/restapis/*
- Effect: Allow
  Action:
    - apigateway:DELETE
  Resource:
    - !Sub arn:aws:apigateway:${Region}::/restapis/*
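Added example, not code from the issue or from the plugin: a small check that parses the AccessDenied message quoted above and tests it against the proposed statements before they are attached to the deploy user. It assumes `${Region}` resolves to `eu-central-1`, evaluates Allow statements only (no Deny, Condition, NotAction or NotResource), and the function names are hypothetical.

```javascript
// Added example: simplified identity-policy check (Allow statements only).

// Error text as quoted in the issue (ids are the issue's anonymized values).
const ERROR = "User: arn:aws:iam::123:user/deploy-user is not authorized to perform: " +
  "apigateway:DELETE on resource: arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 " +
  "because no identity-based policy allows the apigateway:DELETE action";

// The statements proposed in the issue, with ${Region} assumed to be eu-central-1.
const PROPOSED = [
  { Effect: "Allow",
    Action: ["apigateway:POST", "apigateway:GET", "apigateway:PUT"],
    Resource: ["arn:aws:apigateway:eu-central-1::/restapis",
               "arn:aws:apigateway:eu-central-1::/restapis/*"] },
  { Effect: "Allow",
    Action: ["apigateway:DELETE"],
    Resource: ["arn:aws:apigateway:eu-central-1::/restapis/*"] },
];

// Pull the denied action and resource ARN out of an AccessDenied message.
function parseDenied(message) {
  const m = /not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  return m ? { action: m[1], resource: m[2] } : null;
}

// IAM-style wildcard match: '*' is any run of characters, '?' is exactly one.
function wildcardMatch(pattern, value, ignoreCase = false) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "i" : "").test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

// True when at least one Allow statement matches both action and resource.
// Action names are compared case-insensitively, resource ARNs case-sensitively.
function isAllowed(statements, action, resource) {
  return statements.some((s) =>
    s.Effect === "Allow" &&
    asList(s.Action).some((a) => wildcardMatch(a, action, true)) &&
    asList(s.Resource).some((r) => wildcardMatch(r, resource)));
}

const denied = parseDenied(ERROR);
console.log(denied, isAllowed(PROPOSED, denied.action, denied.resource));
```

The same check shows what the proposed statements leave out: `apigateway:DELETE` on the bare `/restapis` collection, any `apigateway:PATCH` call, and every other region stay denied.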
Hi @delenamalan
It's not related to the plugin. The plugin does not manage AWS permissions.
@rddimon thank you, but the plugin does provide suggested permissions in the README.md and Cloudformation template though, right?
In the readme, we just provided an example of the needed permissions.
We can't cover all the single examples and this is not the scope of the plugin.
Reopened it as it can be helpful for the other folks.
We will take a look at it.
Thank you. I get what you're saying now though so totally okay if this is out of the scope of the plugin :)